[glib-networking/mcatanzaro/tls-interaction] gnutls: don't attempt to connect to server if TLS interaction fails
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/tls-interaction] gnutls: don't attempt to connect to server if TLS interaction fails
- Date: Fri, 17 May 2019 17:47:47 +0000 (UTC)
commit f9e08883a8ad6aed00fef4d70a009e7d835fef13
Author: Michael Catanzaro <mcatanzaro igalia com>
Date: Fri May 17 11:24:26 2019 -0500
gnutls: don't attempt to connect to server if TLS interaction fails
If we fail to get a client certificate from the TLS interaction, we can
either go ahead and try to connect to the server or not. Originally, we
didn't. At some point in the past, I arbitrarily changed this to allow
trying to connect. The theory is that some servers might request a
client certificate, but allow connecting anyway even if it's not
provided, and trying to connect would allow for compatibility with such
servers.
However, I've never heard of any such server existing. So, for
simplicity, let's just fail if the TLS interaction has failed. This is
what the code originally did, anyway, and nobody ever requested a
change. We can always revisit in the future in the very unlikely event
somebody wants to connect to such a server without a client certificate.
Now, this causes a somewhat undesirable change in our test output. The
test server is no longer able to fail on G_TLS_ERROR_CERTIFICATE_REQUIRED,
because the server is no longer choosing to terminate the connection:
it's the client choosing to terminate the connection now. So instead the
error will be a generic handshake error. And we use
G_TLS_ERROR_NOT_TLS for all handshake errors (see: #63).
tls/gnutls/gtlsclientconnection-gnutls.c | 20 ++++----------------
tls/tests/connection.c | 4 ++--
2 files changed, 6 insertions(+), 18 deletions(-)
---
diff --git a/tls/gnutls/gtlsclientconnection-gnutls.c b/tls/gnutls/gtlsclientconnection-gnutls.c
index 12ea5f0..51dfa05 100644
--- a/tls/gnutls/gtlsclientconnection-gnutls.c
+++ b/tls/gnutls/gtlsclientconnection-gnutls.c
@@ -356,26 +356,14 @@ g_tls_client_connection_gnutls_retrieve_function (gnutls_session_t
if (g_tls_connection_base_request_certificate (tls, g_tls_connection_base_get_certificate_error (tls)))
g_tls_connection_gnutls_get_certificate (conn, pcert, pcert_length, pkey);
-
- if (*pcert_length == 0)
- {
- g_tls_certificate_gnutls_copy_free (*pcert, *pcert_length, *pkey);
-
- /* If there is still no client certificate, this connection will
- * probably fail, but no reason to give up: let's try anyway.
- */
- g_tls_connection_base_set_missing_requested_client_certificate (tls);
- return 0;
- }
}
- if (*pkey == NULL)
+ /* If no client certificate was provided, or the provided certificate does not
+ * have a private key, then it's time to fail.
+ */
+ if (*pcert_length == 0 || *pkey == NULL)
{
g_tls_certificate_gnutls_copy_free (*pcert, *pcert_length, *pkey);
-
- /* No private key. GnuTLS expects it to be non-null if pcert_length is
- * nonzero, so we have to abort now.
- */
g_tls_connection_base_set_missing_requested_client_certificate (tls);
return -1;
}
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 9c9d7f3..0d62d28 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -1073,7 +1073,7 @@ test_client_auth_failure (TestConnection *test,
wait_until_server_finished (test);
g_assert_error (test->read_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED);
- g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED);
+ g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);
g_assert_true (accepted_changed);
@@ -1263,7 +1263,7 @@ test_client_auth_request_fail (TestConnection *test,
* when the GTlsInteraction's certificate request fails.
*/
g_assert_error (test->read_error, G_FILE_ERROR, G_FILE_ERROR_ACCES);
- g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED);
+ g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);
g_io_stream_close (test->server_connection, NULL, NULL);
g_io_stream_close (test->client_connection, NULL, NULL);
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]